On Mon, 2003-04-21 at 17:55, James D. Parra wrote:
> Hello,
>
> Try as I may, I cannot get packets to go through the firewall from the
> public side to the private side. I have set up scripts that should work, as
> written from Netfilter, but there must be something I am overlooking.

Yep... ;^)

> # TCP Rules
> iptables -A INPUT -p TCP -i eth1 -s 0/0 --destination-port 1723 -j okay
> iptables -A INPUT -p tcp -i eth1 -s 0/0 --destination-port 80 -j okay

dport 80 not needed, since you're DNATting it anyway.

> # (4) FORWARD chain rules
> # Accept packets we want to forward
> iptables -A FORWARD -i eth0 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport 1024:65535 -d PVT.XXX.XXX.XXX --dport 80 \
>          -m state --state NEW -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

This last is also unneeded, since you have a more general state rule just
above it.

> # (6) PREROUTING chain rules
> iptables -t nat -A PREROUTING -i eth1 -p tcp --sport 80 -d PUB.XXX.XXX.XXX --dport 80 \
>          -j DNAT --to-destination PVT.XXX.XXX.XXX:80
> iptables -t nat -A PREROUTING -p tcp -d --dport 1723 -j DNAT --to-destination PVT.XXX.XXX.XXX

Ah, the meat of the problem... You're matching ONLY packets with BOTH dport
AND sport of 80... Drop the "--sport 80" part and you should be all set to
serve http.

j
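Added example, not part of the thread: a small model of first-match evaluation in the nat PREROUTING chain, checking the posted DNAT rule and the corrected one against a constructed inbound HTTP SYN. The Packet/DnatRule types and the 203.0.113.7 client address are assumptions made for the illustration; the PUB/PVT placeholders are the thread's own.

```python
from dataclasses import dataclass
from typing import List, Optional

PUB_IP = "PUB.XXX.XXX.XXX"  # placeholders carried over from the thread
PVT_IP = "PVT.XXX.XXX.XXX"


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    """Subset of an iptables -t nat PREROUTING rule; None means 'any'."""
    in_iface: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    to_destination: str = ""

    def matches(self, pkt: Packet) -> bool:
        checks = ((self.in_iface, pkt.in_iface), (self.proto, pkt.proto),
                  (self.sport, pkt.sport), (self.dst, pkt.dst),
                  (self.dport, pkt.dport))
        return all(want is None or want == got for want, got in checks)


def prerouting(rules: List[DnatRule], pkt: Packet) -> Optional[str]:
    """First matching rule wins, as in a netfilter chain; None = no DNAT applied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.to_destination
    return None


# The rule as posted (--sport 80 present) and the rule as the reply suggests.
POSTED_RULE = DnatRule("eth1", "tcp", 80, PUB_IP, 80, f"{PVT_IP}:80")
FIXED_RULE = DnatRule("eth1", "tcp", None, PUB_IP, 80, f"{PVT_IP}:80")

# Constructed sample: a browser's SYN leaves from an ephemeral port, never from 80.
CLIENT_SYN = Packet("eth1", "tcp", "203.0.113.7", 51234, PUB_IP, 80)


def compare() -> dict:
    return {"posted": prerouting([POSTED_RULE], CLIENT_SYN),
            "fixed": prerouting([FIXED_RULE], CLIENT_SYN)}
```

Running compare() shows the posted rule never rewrites the destination, while the rule without --sport 80 sends the connection to the private web server.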